SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3051005
was released on
14.12.2021 and deals with
"Cross-Site Scripting (XSS) Vulnerability in SAP Fiori Launchpad" within SAP UI5.
We advice you to follow the instructions, to resolve
Cross-Site Scripting (XSS)
low potential for exploitation
in component CA-FLP-ABA.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as monthly patch process.
Cross-site scripting (XSS) is the name of a class of security vulnerabilities that can occur in web-based
applications. XSS combines
affected web application.
Risk specificationSAP Fiori Launchpad does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability.
The user input is now properly encoded to prevent a successful XSS attack.
- 9.0 [CVE-2020-6284] Cross-Site Scripting (XSS) in SAP NetWeaver (Knowledge Management)
- 8.8 [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
- 8.2 [CVE-2020-6367] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Composite Application Framework
- 6.5 [CVE-2019-0385] Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
- 6.3 Cross-Site Request Forgery vulnerability in Enterprise Services Repository of SAP Process Integration